BSD Commit Log Search

   py-postorius: Apply an upstream security bug fix.

   Bump PKGREVISION.

   Fix dumpfs to allow NAME=wedge-label on command line

   This is a follow-on from the PR bin/59957 changes, and is being
   included with that PR so it is easier to locate all the tools that
   have been changed this way, so they can all be updated again once
   the new code is moved to libutil where it belongs, and out of src/sbin/fsck.

   When handling of NAME=whatever was added to dumpfs, it was done
   in a way where it could only work when dumpfs was used as

        dumpfs mount-point

   and /etc/fsck contained

        NAME=whatever mount-point  [rest of fstab entry]

   That covers the vast majority of actual uses, but a simple

        dumpfs NAME=whatever

    [5 lines not shown]

   firefox140-l10n: update to 140.10.2

   firefox140: update to 140.10.2

   Mozilla Foundation Security Advisory 2026-41
   Security Vulnerabilities fixed in Firefox ESR 140.10.2

   Announced
       May 7, 2026
   Impact
       high
   Products
       Firefox ESR
   Fixed in

           Firefox ESR 140.10.2

   #CVE-2026-8090: Use-after-free in the DOM: Networking component

   Reporter
       Kevin Brosnan

    [31 lines not shown]

   py-orjson: update to 3.11.9.

   Changed

       Build now depends on Rust 1.95 or later instead of 1.89.

   Fixed

       Fix building on Rust 1.95.

   Revbump all Go packages after go126 security update

   Pullup ticket #7090 - requested by taca
   www/ruby-rack-session: Security fix

   Revisions pulled up:
   - www/ruby-rack-session/Makefile                                1.4
   - www/ruby-rack-session/distinfo                                1.4

   ---
      Module Name:      pkgsrc
      Committed By:     taca
      Date:             Sun Apr 12 15:31:10 UTC 2026

      Modified Files:
        pkgsrc/www/ruby-rack-session: Makefile distinfo

      Log Message:
      www/ruby-rack-session: update to 2.1.2

      2.1.2 (2026-04-08)

    [3 lines not shown]

   Pullup ticket #7089 - requested by taca
   net/p5-Net-CIDR-Lite: security fix

   Revisions pulled up:
   - net/p5-Net-CIDR-Lite/Makefile                                 1.34
   - net/p5-Net-CIDR-Lite/distinfo                                 1.10

   ---
      Module Name:      pkgsrc
      Committed By:     wiz
      Date:             Sat Apr 11 05:08:37 UTC 2026

      Modified Files:
        pkgsrc/net/p5-Net-CIDR-Lite: Makefile distinfo

      Log Message:
      p5-Net-CIDR-Lite: update to 0.23.

      0.23  2026-04-10

    [2 lines not shown]

   Pullup ticket #7088 - requested by taca
   chat/icb: Build fix

   Revisions pulled up:
   - chat/icb/distinfo                                             1.24
   - chat/icb/patches/patch-readline_Make                          1.2

   ---
      Module Name:      pkgsrc
      Committed By:     spz
      Date:             Fri Apr  3 16:46:05 UTC 2026

      Modified Files:
        pkgsrc/chat/icb: distinfo
        pkgsrc/chat/icb/patches: patch-readline_Make

      Log Message:
      build fix
      In NetBSD 11 and possibly also SmartOS the ar 'l' modifier went from

    [6 lines not shown]

   Pull up following revision(s) (requested by skrll in ticket #279):

        common/lib/libc/atomic/atomic_cas_16_cas.c: revision 1.4
        common/lib/libc/atomic/atomic_cas_16_cas.c: revision 1.5
        common/lib/libc/atomic/atomic_cas_8_cas.c: revision 1.4
        common/lib/libc/atomic/atomic_cas_32_cas.c: revision 1.3
        common/lib/libc/atomic/atomic_cas_8_cas.c: revision 1.5
        common/lib/libc/atomic/atomic_cas_8_cas.c: revision 1.6
        tests/lib/libc/atomic/t___sync_compare_and_swap.c: revision 1.4
        tests/lib/libc/atomic/t___sync_compare_and_swap.c: revision 1.5
        common/lib/libc/atomic/atomic_init_testset.c: revision 1.22
        common/lib/libc/atomic/atomic_init_testset.c: revision 1.23
        common/lib/libc/atomic/atomic_cas_64_cas.c: revision 1.4
        common/lib/libc/atomic/atomic_cas_by_cas32.c: revision 1.5

   PR/56839 GCC emits wrong codes for compare_and_swap_1 bultins on armv5 (el & eb)

   There is mismatch in signedness of the GCC builtin __sync_* function arguments
   and the _atomic_* functions so we cannot directly alias them. Instead write

    [13 lines not shown]

   Pull up following revision(s) (requested by mrg in ticket #277):

        sys/fs/cd9660/cd9660_rrip.c: revision 1.19

   cd9660: make sure that NM records are at least 5 bytes long.
   avoids an integer underflow when this length has 5 subtracted from it
   for a later path.

   Reported by Adam Crosser, Praetorian

   Pull up the following, requested by christos in ticket #272:

        crypto/external/apache2/openssl/lib/libcrypto/man/OPENSSL_ppccap.3 up to 1.2
        crypto/external/apache2/openssl/lib/libcrypto/man/BIO_set_flags.3 up to 1.2
        crypto/external/apache2/openssl/lib/libcrypto/man/CMS_EncryptedData_set1_key.3 up to 1.2
        crypto/external/apache2/openssl/lib/libcrypto/man/EVP_CIPHER_CTX_get_app_data.3 up to 1.2
        crypto/external/apache2/openssl/lib/libcrypto/man/openssl-DES_random_key.3 up to 1.2
        crypto/external/apache2/openssl/lib/libcrypto/man/openssl-HMAC.3 up to 1.2
        crypto/external/apache2/openssl/lib/libcrypto/man/openssl-MD5.3 up to 1.2
        crypto/external/apache2/openssl/dist/crypto/modes/asm/aes-gcm-ppc-v1.pl up to 1.1
        crypto/external/apache2/openssl/dist/doc/man3/BIO_set_flags.pod up to 1.1.1.1
        crypto/external/apache2/openssl/dist/doc/man3/CMS_EncryptedData_set1_key.pod up to 1.1.1.1
        crypto/external/apache2/openssl/dist/doc/man3/EVP_CIPHER_CTX_get_app_data.pod up to 1.1.1.1
        crypto/external/apache2/openssl/dist/doc/man3/OPENSSL_ppccap.pod up to 1.1.1.1
        crypto/external/apache2/openssl/dist/doc/man3/X509V3_EXT_print.pod up to 1.1.1.1
        crypto/external/apache2/openssl/dist/test/certs/cve-2026-28388-ca.pem up to 1.1.1.1
        crypto/external/apache2/openssl/dist/test/certs/cve-2026-28388-crls.pem up to 1.1.1.1
        crypto/external/apache2/openssl/dist/test/certs/cve-2026-28388-leaf.pem up to 1.1.1.1
        crypto/external/apache2/openssl/dist/test/certs/ext-timeSpecification-periodic-no-second.pem up to 1.1.1.1

    [3249 lines not shown]

   security/gcr4: disable gtk4 option to avoid pulling the whole stack

   Note update of OpenSSH to 10.3 (ticket #271)

   Pull up the following, requested by christos in ticket #271:

        crypto/external/bsd/openssh/dist/ed25519-openssl.c up to 1.1.1.1
        crypto/external/bsd/openssh/dist/ssherr-libcrypto.c up to 1.1.1.1
        crypto/external/bsd/openssh/dist/ssherr-nolibcrypto.c up to 1.1.1.1
        crypto/external/bsd/openssh/dist/hash.c         delete
        crypto/external/bsd/openssh/dist/PROTOCOL       up to 1.26
        crypto/external/bsd/openssh/dist/addr.c         up to 1.9
        crypto/external/bsd/openssh/dist/addr.h         up to 1.1.1.4
        crypto/external/bsd/openssh/dist/addrmatch.c    up to 1.16
        crypto/external/bsd/openssh/dist/auth-bsdauth.c up to 1.10
        crypto/external/bsd/openssh/dist/auth-krb5.c    up to 1.20
        crypto/external/bsd/openssh/dist/auth.c         up to 1.40
        crypto/external/bsd/openssh/dist/auth.h         up to 1.26
        crypto/external/bsd/openssh/dist/auth2-chall.c  up to 1.22
        crypto/external/bsd/openssh/dist/auth2-gss.c    up to 1.19
        crypto/external/bsd/openssh/dist/auth2-hostbased.c up to 1.26
        crypto/external/bsd/openssh/dist/auth2-pubkey.c up to 1.38
        crypto/external/bsd/openssh/dist/auth2-pubkeyfile.c up to 1.5

    [130 lines not shown]

   Note update of xz to 5.8.3 (ticket #270)

   Pull up the following, requested by christos in ticket #270:

        external/public-domain/xz/dist/doc/examples/11_file_info.c up to 1.1.1.1
        external/public-domain/xz/dist/po/pt_BR.gmo     up to 1.1.1.1
        external/public-domain/xz/dist/po/ca.gmo        up to 1.1.1.1
        external/public-domain/xz/dist/po/ca.po         up to 1.1.1.1
        external/public-domain/xz/dist/po/da.gmo        up to 1.1.1.1
        external/public-domain/xz/dist/po/da.po         up to 1.1.1.1
        external/public-domain/xz/dist/po/eo.gmo        up to 1.1.1.1
        external/public-domain/xz/dist/po/eo.po         up to 1.1.1.1
        external/public-domain/xz/dist/po/es.gmo        up to 1.1.1.1
        external/public-domain/xz/dist/po/es.po         up to 1.1.1.1
        external/public-domain/xz/dist/po/fi.gmo        up to 1.1.1.1
        external/public-domain/xz/dist/po/fi.po         up to 1.1.1.1
        external/public-domain/xz/dist/po/hr.gmo        up to 1.1.1.1
        external/public-domain/xz/dist/po/hr.po         up to 1.1.1.1
        external/public-domain/xz/dist/po/hu.gmo        up to 1.1.1.1
        external/public-domain/xz/dist/po/hu.po         up to 1.1.1.1
        external/public-domain/xz/dist/po/ka.gmo        up to 1.1.1.1

    [524 lines not shown]

   Tickets #1253 - #1265

   Tickets #2008, #2009 and #2011

   Pull up following revision(s) (requested by mrg in ticket #1265):

        libexec/httpd/CHANGES: revision 1.57
        libexec/httpd/daemon-bozo.c: revision 1.23
        libexec/httpd/bozohttpd.8: revision 1.101
        libexec/httpd/lua-bozo.c: revision 1.16
        libexec/httpd/auth-bozo.c: revision 1.29
        libexec/httpd/bozohttpd.h: revision 1.74
        libexec/httpd/ssl-bozo.c: revision 1.35
        libexec/httpd/ssl-bozo.c: revision 1.36
        libexec/httpd/ssl-bozo.c: revision 1.37
        libexec/httpd/bozohttpd.c: revision 1.150
        libexec/httpd/bozohttpd.c: revision 1.151
        libexec/httpd/bozohttpd.c: revision 1.152

   Fix iteration over protos[] to prevent out-of-bounds access

   Fix use-after-free in the "<a  rel="nofollow" href="http://"">http://"</a>; case


    [18 lines not shown]

libsquish: removed; imported into base

   Added graphics/libsquish; Updated games/vcmi

   vcmi: updated to 1.7.3

   1.7.3

   Stability

   Fixed crash on Master Genie spellcasting attempts
   Fixed random crash on startup due to preloading of .def assets
   Fixed crash when attempting to start HotA 1.8 map while having older version of HotA mod active
   Fixed crash on switching to or from fullscreen mode while rebinding spell for quick spell panel in combat
   Fixed crash on invalid string in creature recruitment title
   Fixed crash on Heroes Chronicles import failure on iOS
   Fixed crash on starting Deus Ex Machina scenario of Forged of Fire campaign from HotA
   Fixed crash on removing boat of a hero that starts map on water in HotA maps
   Fixed crash on Linux on attempt to use middle mouse in the backpack
   Fixed rare crash on opening custom campaigns map list while player has multiple mods active
   Fixed rare crash on mod conflict detection testing
   Fixed rare crash on closing of video playback
   Fixed rare crash on updating minimap view

    [40 lines not shown]

   libsquish: added version 1.15.1.3

   The squish library (primarily known by libsquish) is an open source DXT/S3TC
   compression library written in C++ that is commonly used with OpenGL and
   DirectX for the lossy compression of RGBA textures.

   doc: Updated editors/ait to 1.15

   ait: update to 1.15

   Packaging updates:
   - NotABug died due to AI, moved upstream elsewhere

   Upstream updates:
   New:
   - added register system
     - set the registers location via -r
     - Use C-x r [s,i,<spc>,f,j,m,e,k,c,?] to use.
   - indent/un-indent by single space
     - using the spacebar to indent and backspace to un-indent
   - support commands and keybindings via -c
   - dynamic-expand now supports completing words that contain any
     symbol in the Symbols Allowed In Variables (saiv) of the syntax
     mode. It will always assume an underscore (_) is valid since all
     common programming languages support it as a variable symbol.
   - illumOS support


    [7 lines not shown]

   Updated devel/wabt, textproc/hunspell

   hunspell: updated to 1.7.3

   Hunspell 1.7.3 release:
   - Fix stack-buffer-overflow in Hunzip::getline (reported and fixed
     by MarkLee131)
   - Fix stack overflow in compound_check on Hungarian dictionaries
     under certain conditions (reported by Anthropic via Ada Logics)
   - Fix UB when SFX condition starts with '^'
   - Bounds-check continuation bytes in u8_u16
   - oss-fuzz timeout/OOM hardenings
   - Fix 715 CHECKCOMPOUNDCASE considers digits uppercase
   - Fix 748 hzip: cannot write file
   - Fix 1024 std::string bounds check
   - Fix 1044 tools/analyze crash
   - Fix 1076 flags 65520/65521 wrongly rejected
   - Fix 1058 don't suggest the input word as its own correction
   - Fix 1002 exact word marked as a near miss
   - Fix tdf125600 dotted-I regression
   - Partial Unicode table refresh for Mc combining marks

    [14 lines not shown]

   Update for bind update (ticket #269)

   wabt: updated to 1.0.41

   1.0.41

   Implement quoted identifier parsing
   feat(demo): Run js in worker in wat2wasm demo
   Refactor browser demos and Emscripten build output
   Fix wasm2wat demo
   Cleanup how emscripten is invoked
   [demo] Use arrow functions
   Fix Emscripten warnings by removing deprecated writeAsciiToMemory
   [wasm2c] Fix exception testing on macOS
   bug fix for wat2wasm demo to remove call to module.resolveNames
   [wast-parser] Optimize Consume()
   Move filename out of Location
   Add declaration limit checks to parser
   [lexer] Simplify GetLineOffsets
   Remove debug-parser option and other unused variables
   Use unsigned line info in Locations

    [3 lines not shown]